The Infections That Will Not Die: Conficker and AutoRun

One of the wonderful things about some pieces of malware is that, like that slightly dodgy uncle who never seems to have a job, they never really go away. They just sort of hang about in the background, waiting for the right time to hit you up for some spare cash or CPU cycles. It appears that the once-celebrated and now nearly forgotten Conficker malware has entered that realm.

Conficker once was the golden boy of malware, the favored child who could do no wrong. It was the subject of countless stories in the tech and mainstream press alike, and inspired an absurd amount of breathless predictions of the Internet’s doom in the spring of 2009. Since then, little has been heard from the worm and everyone has moved on to several other Internet-killing pieces of malware. However, Conficker hasn’t exactly disappeared; it’s simply been overtaken by larger events.

In fact, Conficker, by some measures, still accounts for a fairly decent amount of the malware infections seen each month. A new report from ESET shows that the worm is still quite active, accounting for nearly 4 percent of all malware infections detected in 2011. That number is down more than 50 percent from the year before, but it’s still a sad indication of how little attention some groups of people pay to patching their machines. The patch for the main vulnerability that Conficker uses to infect PCs has been available since late 2008.

“It’s important to note that it’s possible to avoid most Conficker infection risks generically, by practicing ‘safe hex’: keep up-to-date with system patches, disable Autorun, and don’t use unsecured shared folders. In view of all the publicity Conficker has received and its extensive use of a vulnerability that’s been remediable for so many months, we’d expect Conficker infections to be in decline by now if people were taking these commonsense precautions,” ESET researchers said in the report.

Conficker claimed second place in the list of most prevalent threats of 2011 from ESET, and the only one that finished ahead of it is even older and mustier: AutoRun infections. Malware and worms have been using the AutoRun functionality in Windows to spread for several years now and the infection vector became such a problem that Microsoft in February of last year pushed out an update that disabled AutoRun functionality in some machines.

Within four months of that fix being pushed out through Windows Update, Microsoft officials reported that the infection rate of malware that uses AutoRun had dropped by 68 percent. However, the fix that disabled the feature was an optional one, so not every user who has access to it has necessarily installed it. Clearly, that’s still having an effect on infections, as ESET’s data shows.

“The default Autorun setting in Windows will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. There are many types of malware that copy themselves to removable storage devices: while this isn’t always the program’s primary distribution mechanism, malware authors are always ready to build in a little extra ‘value’ by including an additional infection technique,” ESET’s report said.
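
The behavior ESET describes can be audited on removable media before a drive is trusted. The following is an added example, not code from the article or from ESET's report: a small Python check that lists the entries in an autorun.inf file that would start a program. The function name `audit_autorun` and both sample files are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name a program to launch.
EXEC_KEYS = {"open", "shellexecute"}
# Context-menu verbs: shell\<verb>\command=<program>
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed samples: a label/icon-only file and one that launches a binary.
BENIGN = "[autorun]\nlabel=Backup Drive\nicon=drive.ico\n"
SUSPECT = (
    ";comment line used as padding\n"
    "[AutoRun]\n"
    "line-without-an-equals-sign\n"
    "Open = tools\\setup.exe /s\n"
    "shell\\open\\Command=tools\\setup.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "[other]\n"
    "open=ignored.exe\n"
)

def audit_autorun(text):
    """Return (key, value) pairs in [autorun] that would start a program."""
    findings = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            # Section names are case-insensitive; only [autorun] matters here.
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # other sections and lines that are not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append((key, value))
    return findings

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        hits = audit_autorun(sample)
        print(name, "->", hits if hits else "no launch directives")
```

A file with only `label` or `icon` entries produces no findings; any `open`, `shellexecute` or `shell\<verb>\command` entry on a removable drive is worth a closer look at the program it points to.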